Ultra Antivir 2009 (UltraAntivir2009) is a new rogue. It belongs to the same family as Virusdoctor, VirusMelt and VirusAlarm. The GUI is always the same; only the title changes.
Fake online scanners are redirecting to a new (and less expensive) way of hosting malware: Google Code.
trdatasft.com (64.86.17.9)
vmfastscanner.com (64.86.17.9)
tdncgo2009.com (64.86.133.91)
websecscan.com (64.86.133.91)
mysupervisorpop.co.cc (64.86.16.210)
onlinesecurescan.com (64.86.16.210)
vm-onlinescan.net (206.53.61.69)
virusalarm-scanvirus.net (206.53.61.76)
onlinescan-ultraantivirus2009.com (206.53.61.76)
Ultra Antivir 2009 removal instructions
Thanks to Bharath.
Friday, March 27, 2009
Saturday, March 21, 2009
Antivirus Agent Pro
The rogue Antivirus Agent Pro detects infections on a clean system. It creates random junk files (not executable) and flags them as infected.
Thanks to Miekiemoes.
Labels:
Rogues
Friday, March 20, 2009
Total Security
Total Security is a fake security application. It belongs to the Antivirus 360 rogue family (same GUI).
It downloads files from:
platinumsecurityupdate.com (212.117.165.126)
antispywareupdateservice.com (89.149.217.205)
212.117.165.126 is an IP shared with the Antivirus 2009 website and installer:
webscannertools.com (212.117.165.126)
central-scan.com (212.117.165.126)
BleepingComputer Removal Guide.
Bharath's Security Blog
Labels:
Anti200X,
Rogues,
ScreenShots
Wednesday, March 18, 2009
Renus2008
Renus 2008 is a fake security application.
Renus 2008 always detects the same infected files, as the item strings are hardcoded in the application:
Thanks to Bharath (on Sunbelt Blog).
BleepingComputer Virus-Removal.
Labels:
Rogues,
ScreenShots
Monday, March 16, 2009
WinPC Defender
WinPC Defender is a fake security application (from the same creators as XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009).
Let's see how the rogue detects infections once registered (no reboot, no cleaning):
Nothing more. All detected infections (1st capture) have disappeared!
win-pc-defender.com (206.125.44.28)
xp-police-09.com (206.125.44.28)
xp-police-2009.com (206.125.44.28)
xp-police-antivirus.com (206.125.44.28)
xp-police-av.com (206.125.44.28)
xp-police-engine.com (206.125.44.28)
xp-police.com (206.125.44.28)
XP-Police MAD, XP-Police/IEDef symptoms MAD.
BleepingComputer Removal Guide.
Labels:
Rogues,
ScreenShots,
Sig.
Thursday, March 12, 2009
RegistryFox Rogue
RegistryFox is a fake security application from AntiSpyware LLC, the same company that used to produce the SmitfraudFixTool rogue (named after the original, legitimate SmitfraudFix application), the MalwareRemovalBot rogue, and many other fake products.
The two rogue websites are hosted on the same server:
malwareremovalbot.com (74.53.169.2)
registryfox.com (74.53.169.2)
The application contacts database.registrysmart.com (75.125.200.226) to update its "heavy" database: 7 KB. The IP is shared with other rogue software:
adwarealert.com (75.125.200.226)
evidenceeraser.com (75.125.200.226)
registrysmart.com (75.125.200.226)
restore-pc.com (75.125.200.226)
In the code, there is a reference to a file (DataBase.ref) downloaded from 2squared.com (75.125.61.162), an IP shared with:
antispywarebot.com (75.125.61.162)
errorsweeper.com (75.125.61.162)
privacycontrol.com (75.125.61.162)
regclean.com (75.125.61.162)
There is also a link to the Antispyware 2009 rogue setup:
antispyware.com (75.125.241.58)
adwarebot.com (75.125.241.58)
antispyware2009.com (75.125.241.58)
errorsmart.com (75.125.241.58)
regsweep.com (75.125.241.58)
Thanks to NoVirusThanks.
Labels:
AntiSpyware LLC,
Registry Cleaners,
Rogues,
ScreenShots
Wednesday, March 4, 2009
WinCoDecPRO Fake Codec
WinCoDecPRO is a rogue-like fake software.
While rogues detect fake infections on a clean system and display alert messages, WinCoDecPRO displays a fake codec error, redirecting the infected user to the WinCoDecPRO web site.
When the user tries to run Windows Media Player, the malware closes it and displays a message box, choosing the text from a hardcoded list:
It also regularly displays popup alerts:
The modified wallpaper:
Labels:
DesktopHijack,
FakeCodec,
ScreenShots